Looking over IDS logs I noticed something very odd: a client with a User-Agent string indicating Firefox running on a Mac (say: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5) downloading an EXE from a malicious host. A few options came to mind: a user-agent switcher, a virus infecting a Mac via CrossOver, or some weird mix with VMware Fusion. It also occurred to me that the same users, desperate to get their porn fix, might actually repeatedly download EXEs on a Mac to get their, ugh, codec.
None of that felt quite right. Then I remembered an older vulnerability where one could cluster-bomb the default download directory with arbitrary files — hoping a user might click one, or that it might trigger a secondary vulnerability. I can’t find references to this, but I decided to check the default behavior of Firefox. As it turns out, if you click to download an EXE, JS initiates the download dialog; regardless, the file actually starts downloading before you click accept. Thus even if you click no/cancel, the file still downloads. Therefore the network IDS triggers and you see odd things like Macs downloading EXEs.
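A small triage helper for exactly this situation, added here as an example (it is not code from the original post): it parses IDS/proxy-style log lines, derives the client platform from the User-Agent, and flags downloads of Windows executables by non-Windows clients, grouping repeats per source host so the "same user keeps fetching the EXE" pattern stands out. The log format (`ts src=… ua="…" url=…`), the sample lines, and the hostnames are all constructed assumptions; map your own export to those fields. Because of the pre-accept download behaviour described above, a hit here is a lead to check the client (was the file actually saved?), not proof of infection.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample log lines (assumption: a key=value export from your IDS/proxy).
SAMPLE_LOGS = [
    '2009-07-01T12:00:01Z src=10.0.0.5 ua="Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5" url=http://bad.example/dl/codec.exe',
    '2009-07-01T12:03:14Z src=10.0.0.5 ua="Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5" url=http://bad.example/dl/codec.exe',
    '2009-07-01T12:05:40Z src=10.0.0.9 ua="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5" url=http://bad.example/dl/codec.exe',
    '2009-07-01T12:06:02Z src=10.0.0.7 ua="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5" url=http://files.example/readme.pdf',
]

# One regex for the assumed line layout; anything that does not match is skipped.
LINE_RE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) ua="(?P<ua>[^"]*)" url=(?P<url>\S+)$')

# File extensions that only make sense for a Windows client to run.
WINDOWS_EXEC_EXTS = {".exe", ".msi", ".scr", ".dll", ".com", ".bat"}


def platform_from_ua(ua):
    """Coarse OS guess from a browser User-Agent string."""
    if "Windows" in ua:
        return "windows"
    if "Macintosh" in ua or "Mac OS X" in ua:
        return "mac"
    if "Linux" in ua:
        return "linux"
    return "unknown"


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["platform"] = platform_from_ua(event["ua"])
    path = urlparse(event["url"]).path.lower()
    event["ext"] = path[path.rfind("."):] if "." in path else ""
    return event


def is_platform_mismatch(event):
    """True when a non-Windows client pulled a Windows executable."""
    return event["ext"] in WINDOWS_EXEC_EXTS and event["platform"] != "windows"


def find_mismatches(lines):
    """Group mismatching downloads by (source host, URL) and count repeats."""
    counts = Counter()
    meta = {}
    for line in lines:
        event = parse_line(line)
        if event is None or not is_platform_mismatch(event):
            continue
        key = (event["src"], event["url"])
        counts[key] += 1
        meta[key] = event["platform"]
    return [
        {"src": src, "url": url, "platform": meta[(src, url)], "count": n}
        for (src, url), n in counts.most_common()
    ]


if __name__ == "__main__":
    for hit in find_mismatches(SAMPLE_LOGS):
        print(f'{hit["src"]} ({hit["platform"]}) fetched {hit["url"]} x{hit["count"]}')
```

Running it over the constructed lines reports only 10.0.0.5, the Mac client, with two fetches of codec.exe; the Windows client fetching the same EXE and the Linux client fetching a PDF are left alone. Feeding a real export through it gives a short list of hosts worth checking before concluding anything about infection.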